// Trust & Security Report
Outreach Corporation
Outreach is an agentic AI revenue orchestration platform for sales engagement, deal management, conversation intelligence, forecasting, and account management; core sub-products include Outreach Voice (calling/recording), Outreach Omni, Agent Studio, Meeting Prep Agent, and Outreach MCP (integration layer for connecting the platform to other GTM tools/agents).
Certifications held
7
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on outreach.ai“SOC 2 Type II, ISO 27001, ISO 27701, EU-U.S. Privacy Shield, and TRUSTe certifications”
Verify on outreach.ai“Outreach has determined that our current security and data privacy controls, and certifications including ISO 27001 and ISO 27701, allow Outreach to adhere to the GDPR's requirements. Outreach maintains ISO 27001 certification (since 2015).”
Verify on outreach.ai“GDPR compliance requirements are built into the control framework Outreach is audited against as a part of our ISO 27701 certification.”
Verify on outreach.ai“Outreach became the first revenue technology company to achieve ISO/IEC 42001:2023 certification... ISO 42001 joins SOC 2 Type II, HIPAA, ISO/IEC 27001, and ISO/IEC 27701 in Outreach's compliance portfolio. Date achieved: July 15, 2025.”
Verify on support.outreach.io“Outreach maintains a HIPAA attestation and offers BAAs to customers who require them and meet specific requirements. Customers who have not executed a BAA are not permitted to store, process, or transmit protected health information (PHI) within the Outreach platform.”
Verify on outreach.ai“Trust page lists a 'Cloud Security Alliance (CSA)' heading followed by 'Security, Trust, Assurance, and Risk (STAR)' among Outreach's certifications. Confirmed present on the vendor Trust page, though gated audit documentation was not independently retrieved.”
Verify on outreach.ai“SOC 2 Type II, ISO 27001, ISO 27701, EU-U.S. Privacy Shield, and TRUSTe certifications; Data transfers from EU/UK/Switzerland use standard contractual clauses and EU-U.S. Data Privacy Framework compliance.”
> Show 3 unconfirmed / not-held certifications
source: outreach.aiNo public evidence of PCI DSS on Outreach's trust, security, or GDPR pages; not applicable as Outreach does not appear to process cardholder payment data as a core function.
source: outreach.aiNo public evidence of FedRAMP authorization on any Outreach-owned page.
source: outreach.aiNo public evidence of ISO 27017 or ISO 27018 specifically; Outreach's listed cloud-related certifications are ISO 27001 and ISO 27701 only.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
US-hosted (AWS) by default; an EU data center is available for customers requiring EU data tenancy ('Outreach's EU data center is available cross-platform for customers who require EU data tenancy' - outreach.ai/gdpr). EU/UK/Swiss transfers use SCCs and EU-U.S. Data Privacy Framework.
Outreach's ML models are trained on aggregated behavioral/usage signals ('3 billion+ signals used to train Outreach machine learning models', '33+ million action-outcome pairings captured weekly' per outreach.ai/platform/sales-ai), governed by 'customers' contractual commitments' rather than a documented self-serve opt-out. One narrow carve-out is explicit: 'Google Workspace Data is not used to develop, improve, or train AI and/or ML models' (privacy-statement). No public page states a blanket opt-out for all AI training on customer content; customers should confirm training scope/opt-out in their MSA and the AI Data Use Whitepaper (available only via Account Management, not public).
// Security controls
Encryption in transit
Data is encrypted in transit using industry-leading encryption standards.
outreach.aiEncryption at rest
Data is encrypted at rest using industry-leading encryption standards.
outreach.aiCloud infrastructure
Production infrastructure hosted on Amazon Web Services (AWS) as primary IaaS provider.
outreach.aiPenetration testing
Outreach contracts with industry-leading penetration testing providers to examine production architecture at least once a year.
outreach.aiBug bounty
Outreach employs a private bug bounty program with security researchers testing the platform continuously.
outreach.aiAccess controls
Granular role-based access controls; admins can define who can view, edit, or share content and grant/deny record visibility.
outreach.aiAI agent governance
Configurable agent controls define what agents can and can't do, with full audit trails for every action taken (per homepage; not independently detailed on the governance page beyond data/access controls).
outreach.aiData residency controls
Customers can control retention of voice recordings, meeting recordings, and emails; EU citizen data can be hosted in the EU data center.
outreach.aiSSO
Enterprise-grade encryption, SSO, and role-based access controls built to secure revenue data (per homepage marketing copy; not independently detailed with a protocol list on a dedicated security page).
outreach.aiTrust center access
Full certification documents, whitepapers, diagrams, and questionnaire responses are gated behind account executive / account management contact, not publicly downloadable.
outreach.ai// Products & data scope
data: CRM records, email, calendar, deal/pipeline data
Primary enterprise product; SOC 2 Type II, ISO 27001, ISO 27701 apply.
data: Call recordings, voice transcripts, consent-to-record data
Consent-to-record is customizable per local regulation; retention configurable by admins.
data: Aggregated behavioral signals, action-outcome data used for ML training
Newly ISO/IEC 42001-certified (AI management system, July 2025); training governed by contract terms, no public self-serve opt-out documented.
data: Cross-tool GTM data flow for agent actions
New capability enabling agents to act across connected tools; no distinct compliance documentation found separate from core platform.
data: Incidental/unintended PHI only; not designed to store PHI
HIPAA attestation + BAA available on request; customers without an executed BAA are NOT permitted to store, process, or transmit PHI in the platform. Outreach is explicitly a sales workflow tool, not a healthcare data system.
// What to watch
- Full trust-center documentation (audit reports, questionnaires) is gated behind 'contact your Account Executive' - not independently verifiable by AIFOXX beyond the public marketing-page claims.
- HIPAA is an attestation + optional BAA, not a formal government certification; product is explicitly NOT designed to store PHI and default (non-BAA) customers are prohibited from putting PHI into the platform. Do not list this as unconditional 'HIPAA compliant' - it is conditional and use-case-limited.
- No public, customer-facing opt-out for AI/ML training on general product usage data was found; only Google Workspace data has an explicit no-train carve-out. Training is described as governed by 'contractual commitments' rather than a documented default-off or self-serve toggle - potential over-claim risk if AIFOXX states 'does not train on customer data' without qualification.
- CSA STAR listing was sourced from a single vendor page (platform/trust) and not independently cross-confirmed on a second Outreach-owned page or the CSA STAR public registry; treat as vendor-claimed pending registry cross-check.
// At a glance
Pricing model
Enterprise B2B contract/quote-based (per-seat, tiered by platform capability); no self-serve public pricing found on captured/fetched pages.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Outreach Corporation's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
outreach.ai